China prefix hijack
danny at tcb.net
Thu Apr 8 15:20:23 CDT 2010
On Apr 8, 2010, at 11:45 AM, Martin A. Brown wrote:
> Just a note of confirmation that 23724 originated as many as 31847
> prefixes during an 18 minute window starting around 15:54 UTC.
> They were prepending their own AS, and this is several orders of
> magnitude more prefixes than they normally originate.
Interestingly, they re-originated these prefixes - as opposed to
simply leaking them, which means origin AS-based filters (e.g., as
provided by the current RPKI and SIDR work) would have prevented
this (however, origin AS-based filters would NOT have prevented the
i-root incident a couple weeks back). Most of the incidents we see
of this sort with a large number of prefixes are traditional leaks
with path preservation - so that does make one raise an eyebrow.
Of course, even gross "max prefix" policies would have also helped
here to some extent, to at least limit the scope of this incident
to a much smaller number of prefixes.
One might well observe that RFC 1998-esque policies that employ
LOCAL_PREF to prefer prefixes from customers over like prefixes
from peers means that ALL ISPs that employ such policies in that
transit service hierarchy will first ignore the AS path length when
making BGP best path decisions (i.e., if a leaking Chinese provider
were a transit customer of a large U.S. provider and were given BGP
preference as a result, then all of that U.S. ISPs customers will
end up using the Chinese path as opposed to a path learned locally
in the U.S. from a peer). Perhaps it's time to rethink application
of such policies ubiquitously across peers and customers, or to at
least be more selective in such policy application.
Just one more incident to illustrate how fragile the routing system
is, and how broken the current "routing by rumor" model continues to
More information about the NANOG